
From: Markus Koschany <apo@debian.org>
Date: Sun, 16 Jul 2017 17:48:35 +0200
Subject: CVE-2016-10397
Bug-Upstream: https://bugs.php.net/bug.php?id=73192
Origin: https://git.php.net/?p=php-src.git;a=commitdiff;h=b061fa909de77085d3822a89ab901b934d0362c4
---
ext/standard/tests/url/bug73192.phpt | 30 +++++++++++++++++++++++++
ext/standard/tests/url/parse_url_basic_001.phpt | 20 ++---------------
ext/standard/tests/url/parse_url_basic_002.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_003.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_004.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_005.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_006.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_007.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_008.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_009.phpt | 4 ++--
ext/standard/url.c | 23 +------------------
11 files changed, 49 insertions(+), 56 deletions(-)
create mode 100644 ext/standard/tests/url/bug73192.phpt
diff --git a/ext/standard/tests/url/bug73192.phpt b/ext/standard/tests/url/bug73192.phpt
new file mode 100644
index 0000000..6ecb477
--- /dev/null
+++ b/ext/standard/tests/url/bug73192.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #73192: parse_url return wrong hostname
+--FILE--
+<?php
+
+var_dump(parse_url("http://example.com:80#@google.com/"));
+var_dump(parse_url("http://example.com:80?@google.com/"));
+
+?>
+--EXPECT--
+array(4) {
+ ["scheme"]=>
+ string(4) "http"
+ ["host"]=>
+ string(11) "example.com"
+ ["port"]=>
+ int(80)
+ ["fragment"]=>
+ string(12) "@google.com/"
+}
+array(4) {
+ ["scheme"]=>
+ string(4) "http"
+ ["host"]=>
+ string(11) "example.com"
+ ["port"]=>
+ int(80)
+ ["query"]=>
+ string(12) "@google.com/"
+}
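Review bot: The regression test pins only the two URLs from the bug report, and neither carries userinfo, so the login/password branch guarded by `zend_memrchr(s, '@', (e-s))` in url.c is never entered by this file. A third case with real userinfo ahead of the delimiter, for example `var_dump(parse_url("http://user@example.com:80#@google.com/"));` plus its expected array, would confirm that `user` is still extracted while the later `@` stays in the fragment. Callers often compare the returned `host` against an allowlist, so this is the combination most worth guarding against a future regression.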
diff --git a/ext/standard/tests/url/parse_url_basic_001.phpt b/ext/standard/tests/url/parse_url_basic_001.phpt
index a6f4f7a..282f80a 100644
--- a/ext/standard/tests/url/parse_url_basic_001.phpt
+++ b/ext/standard/tests/url/parse_url_basic_001.phpt
@@ -759,25 +759,9 @@ echo "Done";
int(6)
}
---> http://?:/: array(3) {
- ["scheme"]=>
- string(4) "http"
- ["host"]=>
- string(1) "?"
- ["path"]=>
- string(1) "/"
-}
+--> http://?:/: bool(false)
---> http://@?:/: array(4) {
- ["scheme"]=>
- string(4) "http"
- ["host"]=>
- string(1) "?"
- ["user"]=>
- string(0) ""
- ["path"]=>
- string(1) "/"
-}
+--> http://@?:/: bool(false)
--> file:///:: array(2) {
["scheme"]=>
diff --git a/ext/standard/tests/url/parse_url_basic_002.phpt b/ext/standard/tests/url/parse_url_basic_002.phpt
index c05d1f4..f222ffc 100644
--- a/ext/standard/tests/url/parse_url_basic_002.phpt
+++ b/ext/standard/tests/url/parse_url_basic_002.phpt
@@ -98,8 +98,8 @@ echo "Done";
--> http://::? : string(4) "http"
--> http://::# : string(4) "http"
--> x://::6.5 : string(1) "x"
---> http://?:/ : string(4) "http"
---> http://@?:/ : string(4) "http"
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : string(4) "file"
--> file:///a:/ : string(4) "file"
--> file:///ab:/ : string(4) "file"
diff --git a/ext/standard/tests/url/parse_url_basic_003.phpt b/ext/standard/tests/url/parse_url_basic_003.phpt
index 88eda50..70dc4bb 100644
--- a/ext/standard/tests/url/parse_url_basic_003.phpt
+++ b/ext/standard/tests/url/parse_url_basic_003.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : string(1) ":"
--> http://::# : string(1) ":"
--> x://::6.5 : string(1) ":"
---> http://?:/ : string(1) "?"
---> http://@?:/ : string(1) "?"
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/tests/url/parse_url_basic_004.phpt b/ext/standard/tests/url/parse_url_basic_004.phpt
index e3b9abd..7ddddaf 100644
--- a/ext/standard/tests/url/parse_url_basic_004.phpt
+++ b/ext/standard/tests/url/parse_url_basic_004.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : int(6)
---> http://?:/ : NULL
---> http://@?:/ : NULL
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/tests/url/parse_url_basic_005.phpt b/ext/standard/tests/url/parse_url_basic_005.phpt
index 1fc946e..788ed00 100644
--- a/ext/standard/tests/url/parse_url_basic_005.phpt
+++ b/ext/standard/tests/url/parse_url_basic_005.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : NULL
---> http://?:/ : NULL
---> http://@?:/ : string(0) ""
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/tests/url/parse_url_basic_006.phpt b/ext/standard/tests/url/parse_url_basic_006.phpt
index 5104326..3e410d9 100644
--- a/ext/standard/tests/url/parse_url_basic_006.phpt
+++ b/ext/standard/tests/url/parse_url_basic_006.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : NULL
---> http://?:/ : NULL
---> http://@?:/ : NULL
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/tests/url/parse_url_basic_007.phpt b/ext/standard/tests/url/parse_url_basic_007.phpt
index 8e04553..1b362bb 100644
--- a/ext/standard/tests/url/parse_url_basic_007.phpt
+++ b/ext/standard/tests/url/parse_url_basic_007.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : NULL
---> http://?:/ : string(1) "/"
---> http://@?:/ : string(1) "/"
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : string(2) "/:"
--> file:///a:/ : string(3) "a:/"
--> file:///ab:/ : string(5) "/ab:/"
diff --git a/ext/standard/tests/url/parse_url_basic_008.phpt b/ext/standard/tests/url/parse_url_basic_008.phpt
index 0c77221..1271f38 100644
--- a/ext/standard/tests/url/parse_url_basic_008.phpt
+++ b/ext/standard/tests/url/parse_url_basic_008.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : NULL
---> http://?:/ : NULL
---> http://@?:/ : NULL
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/tests/url/parse_url_basic_009.phpt b/ext/standard/tests/url/parse_url_basic_009.phpt
index 487b271..72f172a 100644
--- a/ext/standard/tests/url/parse_url_basic_009.phpt
+++ b/ext/standard/tests/url/parse_url_basic_009.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : NULL
---> http://?:/ : NULL
---> http://@?:/ : NULL
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/url.c b/ext/standard/url.c
index 5c926bf..f0e2790 100644
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -214,28 +214,7 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
goto nohost;
}
- e = ue;
-
- if (!(p = memchr(s, '/', (ue - s)))) {
- char *query, *fragment;
-
- query = memchr(s, '?', (ue - s));
- fragment = memchr(s, '#', (ue - s));
-
- if (query && fragment) {
- if (query > fragment) {
- e = fragment;
- } else {
- e = query;
- }
- } else if (query) {
- e = query;
- } else if (fragment) {
- e = fragment;
- }
- } else {
- e = p;
- }
+ e = s + strcspn(s, "/?#");
/* check for login and password */
if ((p = zend_memrchr(s, '@', (e-s)))) {
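Review bot: `strcspn(s, "/?#")` stops only at a NUL byte, so unlike the `memchr(s, ..., (ue - s))` calls it replaces, it takes no account of `ue`. php_url_parse_ex receives an explicit `length`, so `e` can end up beyond `ue` when the caller's buffer continues past `length`, and the scan can read past the buffer if the input is not NUL-terminated (the hunk does not show whether callers guarantee that). An embedded NUL before the first delimiter would also cut the authority short. A scan bounded by `ue`, as sketched below, keeps the fix and the old length contract. The function body starts and ends outside the hunk, so the later uses of `e` and `ue` should be checked there.

```c
	/* bounded by ue, like the memchr() calls this replaces */
	for (e = s; e < ue; e++) {
		if (*e == '/' || *e == '?' || *e == '#') {
			break;
		}
	}
	/* check for login and password */
```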